Cybersecurity Engineering Research: Supply Chain and Commercial-Off-the-Shelf (COTS) Assurance Collection
This research focuses on methods for analyzing security-related design weaknesses that cannot be corrected easily during operations.
Organizations are increasingly acquiring commercial-off-the-shelf and open source software products or outsourcing development. Current approaches to acquisition do not account for the risk management issues of complex software supply chains. On-time delivery and costs often get attention, but some of the most serious risks are related to system assurance, the confidence that the system behaves as expected. Software defects, such as design and implementation errors, can lead to unexpected behaviors, system failure, or vulnerabilities that can lead to attacks.
Our approach to assure the security of supply chains can help acquirers in several ways:
- Assist with applying existing techniques to reduce software supply chain risk.
- Provide guidance on managing supply chain risks.
- Help acquirers most effectively use their resources in considering supply chain risks.
See the following publications to learn more about CERT research related to supply chain and COTS assurance:
January 24, 2017 • White Paper
The Software Engineering Institute can help your organization apply techniques to reduce software supply chain risk.read
May 14, 2013 • White Paper
In this paper, the authors highlight the approach being implemented by SEI researchers for assessing and managing software supply-chain risks and provides a summary of the status of this work.read
September 1, 2011 • CERT Research Report
In this section of the research report, the authors explain the benefits of investing in building assured systems.read
December 1, 2010 • Technical Note
In this report, the authors consider current practices in software supply chain analysis and suggest some foundational practices.read
September 1, 2010 • Technical Report
This report presents the Building Assured Systems Framework (BASF) that addresses the customer and researcher challenges of selecting security methods and research approaches for building assured systems.read
May 1, 2010 • Technical Note
In this 2010 report, the authors identify software supply chain security risks and specify evidence to gather to determine if these risks have been mitigated.read